Re: apache and nimbda
From: Matthew Knecht (mknecht@NPCA.ORG)
Date: 01/29/02
- Previous message: Martin Glazer: "Re: apache and nimbda"
- Maybe in reply to: Brian Clifton: "apache and nimbda"
- Next in thread: Teodor Cimpoesu: "Re: apache and nimbda"
Date: Mon, 28 Jan 2002 23:47:21 -0500
From: "Matthew Knecht" <mknecht@NPCA.ORG>
To: <crg@monster.gotadsl.co.uk>, <brian@omegadm.co.uk>

If you have access and administrative privileges to your border router
(and you use Cisco equipment), you can block Nimda and Code Red-style
attacks at the gateway. There's probably a way to do it with other
vendors' equipment as well. Alternatively, you can put pressure on your
ISP to do the same thing for you if you are not responsible for the
management of your router.

The following is from our Cisco consultant, to identify and route requests
containing Nimda-specific URLs to the null interface of the router:

<snip>
You will want to add these commands to your ISP router. It will mitigate
most of the NIMDA virus items, but not the browser pieces. The router
may need to be upgraded to at least a Cisco 2600 with IOS 12.1(5)T.

ip cef
!
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*x.ida*"
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
! fastethernet1/0 should be the ingress interface or the
! interface connected to the ISP network
interface fastethernet1/0
 service-policy input mark-inbound-http-hacks
!
! ACL number 199 may need to be altered based on any other
! access-lists present
access-list 199 permit ip any any dscp 1
!
route-map null_policy_route 11
 ! same ACL number as above
 match ip address 199
 set interface Null0
!
! should be the ingress interface or the interface connected
! to the ISP network
interface fastethernet1/0
 ip policy route-map null_policy_route
</snip>

On Mon, 2002-01-28 at 09:49, Brian Clifton wrote:
> Dear All
>
> Is there a way to stop apache responding to .exe file requests
> altogether?
>
> I am getting fed up with my error_log file being filled by Nimda and
> we don't host any .exe files!! I have been monitoring
> it since the summer and the number of Nimda type entries appears to
> have started to go up again since xmas...
>
> Any thoughts greatly appreciated...
>
> Thanks in advance, Brian

___________________
Matthew A. Knecht
System Administrator
National Parks Conservation Association
202-454-3368 (desk)
202-302-0310 (cell)
mknecht@npca.org
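
An added example, not part of the original message or the consultant's configuration: before applying the class-map above, an administrator can replay the web server's access log against the same URL patterns to see which requests the policy would mark for Null0 and which legitimate ones it would catch. The log lines are constructed, and treating each pattern as a case-sensitive glob is an assumption about how the router matches.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# URL patterns copied from the http-hacks class-map in the message above.
NBAR_URL_PATTERNS = ["*default.ida*", "*x.ida*", "*.ida*",
                     "*cmd.exe*", "*root.exe*", "*readme.eml*"]

# Request field of an Apache common/combined log entry: "METHOD URL PROTO"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)(?: HTTP/[\d.]+)?"')

def first_match(url):
    """Return the first class-map pattern the URL matches, or None.
    Assumption: '*' is a plain wildcard and matching is case-sensitive."""
    for pattern in NBAR_URL_PATTERNS:
        if fnmatchcase(url, pattern):
            return pattern
    return None

def classify(log_lines):
    """Return (Counter of would-be-dropped hits per pattern, passed URLs)."""
    dropped, passed = Counter(), []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not a parseable request line
        pattern = first_match(m.group(1))
        if pattern:
            dropped[pattern] += 1
        else:
            passed.append(m.group(1))
    return dropped, passed

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2002:09:40:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [28/Jan/2002:09:40:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '192.0.2.77 - - [28/Jan/2002:09:41:15 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270',
    '198.51.100.5 - - [28/Jan/2002:09:42:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.5 - - [28/Jan/2002:09:42:03 +0000] "GET /maps/trail.idaho.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [28/Jan/2002:09:43:30 +0000] "GET /downloads/setup.exe HTTP/1.1" 404 281',
]

if __name__ == "__main__":
    dropped, passed = classify(SAMPLE_LOG)
    for pattern, hits in dropped.most_common():
        print(f"{hits:3d}  {pattern}")
    print("not matched:", passed)
```

In the sample, `/maps/trail.idaho.html` is caught by `"*.ida*"` because the pattern matches any URL containing `.ida`, so a site with such paths would want that entry narrowed. `/downloads/setup.exe` is not matched, since the class-map targets specific file names rather than every `.exe` request.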